<html>
<head><meta charset="utf-8"><title>Yet another security alert from npm · t-compiler/rust-analyzer · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/185405-t-compiler/rust-analyzer/index.html">t-compiler/rust-analyzer</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/185405-t-compiler/rust-analyzer/topic/Yet.20another.20security.20allert.20from.20npm.html">Yet another security alert from npm</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="164872022"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/185405-t-compiler/rust-analyzer/topic/Yet%20another%20security%20allert%20from%20npm/near/164872022" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> matklad <a href="https://rust-lang.github.io/zulip_archive/stream/185405-t-compiler/rust-analyzer/topic/Yet.20another.20security.20allert.20from.20npm.html#164872022">(May 04 2019 at 15:06)</a>:</h4>
<p>Does anyone know what <a href="https://github.com/rust-analyzer/rust-analyzer/network/alert/code/package-lock.json/tar/open" target="_blank" title="https://github.com/rust-analyzer/rust-analyzer/network/alert/code/package-lock.json/tar/open">https://github.com/rust-analyzer/rust-analyzer/network/alert/code/package-lock.json/tar/open</a> means?</p>



<a name="164872023"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/185405-t-compiler/rust-analyzer/topic/Yet%20another%20security%20allert%20from%20npm/near/164872023" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> matklad <a href="https://rust-lang.github.io/zulip_archive/stream/185405-t-compiler/rust-analyzer/topic/Yet.20another.20security.20allert.20from.20npm.html#164872023">(May 04 2019 at 15:06)</a>:</h4>
<p><a href="/user_uploads/4715/smVph_LiqtrooZJMIGj0dXZI/pasted_image.png" target="_blank" title="pasted_image.png">pasted image</a></p>
<div class="message_inline_image"><a href="/user_uploads/4715/smVph_LiqtrooZJMIGj0dXZI/pasted_image.png" target="_blank" title="pasted image"><img src="/user_uploads/4715/smVph_LiqtrooZJMIGj0dXZI/pasted_image.png"></a></div>



<a name="164872056"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/185405-t-compiler/rust-analyzer/topic/Yet%20another%20security%20allert%20from%20npm/near/164872056" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> matklad <a href="https://rust-lang.github.io/zulip_archive/stream/185405-t-compiler/rust-analyzer/topic/Yet.20another.20security.20allert.20from.20npm.html#164872056">(May 04 2019 at 15:06)</a>:</h4>
<p>We don't have <code>tar</code> anywhere?</p>



<a name="164872057"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/185405-t-compiler/rust-analyzer/topic/Yet%20another%20security%20allert%20from%20npm/near/164872057" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> matklad <a href="https://rust-lang.github.io/zulip_archive/stream/185405-t-compiler/rust-analyzer/topic/Yet.20another.20security.20allert.20from.20npm.html#164872057">(May 04 2019 at 15:06)</a>:</h4>
<p><a href="https://github.com/rust-analyzer/rust-analyzer/search?utf8=%E2%9C%93&amp;q=tar&amp;type=" target="_blank" title="https://github.com/rust-analyzer/rust-analyzer/search?utf8=%E2%9C%93&amp;q=tar&amp;type=">https://github.com/rust-analyzer/rust-analyzer/search?utf8=%E2%9C%93&amp;q=tar&amp;type=</a></p>



<a name="164872416"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/185405-t-compiler/rust-analyzer/topic/Yet%20another%20security%20allert%20from%20npm/near/164872416" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> detrumi <a href="https://rust-lang.github.io/zulip_archive/stream/185405-t-compiler/rust-analyzer/topic/Yet.20another.20security.20allert.20from.20npm.html#164872416">(May 04 2019 at 15:11)</a>:</h4>
<p>Maybe some js tool uses <code>tar</code> somewhere?</p>



<a name="164872503"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/185405-t-compiler/rust-analyzer/topic/Yet%20another%20security%20allert%20from%20npm/near/164872503" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> detrumi <a href="https://rust-lang.github.io/zulip_archive/stream/185405-t-compiler/rust-analyzer/topic/Yet.20another.20security.20allert.20from.20npm.html#164872503">(May 04 2019 at 15:12)</a>:</h4>
<p><code>npm</code> itself depends on <code>tar</code>, so that might be it even</p>



<a name="164874397"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/185405-t-compiler/rust-analyzer/topic/Yet%20another%20security%20allert%20from%20npm/near/164874397" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Florian Diebold <a href="https://rust-lang.github.io/zulip_archive/stream/185405-t-compiler/rust-analyzer/topic/Yet.20another.20security.20allert.20from.20npm.html#164874397">(May 04 2019 at 15:38)</a>:</h4>
<p>it's talking about <code>code/package-lock.json</code> which isn't the current path, so maybe it's referring to some old branch</p>



<a name="164874413"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/185405-t-compiler/rust-analyzer/topic/Yet%20another%20security%20allert%20from%20npm/near/164874413" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Florian Diebold <a href="https://rust-lang.github.io/zulip_archive/stream/185405-t-compiler/rust-analyzer/topic/Yet.20another.20security.20allert.20from.20npm.html#164874413">(May 04 2019 at 15:40)</a>:</h4>
<p>hm no, I can't find any branch where that's the path</p>



<a name="164874464"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/185405-t-compiler/rust-analyzer/topic/Yet%20another%20security%20allert%20from%20npm/near/164874464" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Florian Diebold <a href="https://rust-lang.github.io/zulip_archive/stream/185405-t-compiler/rust-analyzer/topic/Yet.20another.20security.20allert.20from.20npm.html#164874464">(May 04 2019 at 15:40)</a>:</h4>
<p>and it's actually pointing at the path in master, which results in a 404 <span aria-label="thinking" class="emoji emoji-1f914" role="img" title="thinking">:thinking:</span></p>



<a name="164874683"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/185405-t-compiler/rust-analyzer/topic/Yet%20another%20security%20allert%20from%20npm/near/164874683" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> matklad <a href="https://rust-lang.github.io/zulip_archive/stream/185405-t-compiler/rust-analyzer/topic/Yet.20another.20security.20allert.20from.20npm.html#164874683">(May 04 2019 at 15:46)</a>:</h4>
<p>pruned old branches just in case</p>



<a name="164908562"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/185405-t-compiler/rust-analyzer/topic/Yet%20another%20security%20allert%20from%20npm/near/164908562" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> matklad <a href="https://rust-lang.github.io/zulip_archive/stream/185405-t-compiler/rust-analyzer/topic/Yet.20another.20security.20allert.20from.20npm.html#164908562">(May 05 2019 at 08:13)</a>:</h4>
<p>just squashed the alert manually :c</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>